npm is a security dumpster fire. how many times do we need to get pwned before we start taking dependency management seriously? stop pulling in a million random packages and actually vet your shit.